Sunday, March 19, 2017

An Overview of IPA/IDM - Identity Management and why you should be using it in your Enterprise

IPA/IDM is an Identity Management solution that manages everything from users and groups to hosts, services and the access between them.  The terms IPA and IDM are used interchangeably.  IPA stands for Identity, Policy, Audit; IdM (Identity Management) is the name Red Hat uses for its supported build of the same software (FreeIPA).

In short, IPA/IDM is, for practical purposes, a Linux domain controller, much like Active Directory (AD).

IPA/IDM runs natively on Linux but readily integrates with Windows environments as well, through a cross-forest trust that works much like a trust between two Active Directory domains.

For much of the history of mixed environments - those with a mix of Windows and Linux/Unix workstations and servers - the two platforms were managed as separate domains because their directory services did not interoperate.  Windows domains used Active Directory (AD) to manage users and network resources, while Unix/Linux environments used tools such as the Network Information Service (NIS).

Everything from user accounts to host/DNS entries and access to network resources/shares was managed separately in each environment.  This effectively doubled the amount of work required to manage the domains, and every duplicated account was one more place for passwords and access rights to drift apart.

Today there are many tools available that unify Windows and Linux/Unix environments; some are commercial and others are free and open source.

This article will focus on FreeIPA and its downstream builds from Red Hat (shipped as IdM), Fedora and CentOS.  Let's start with the basics:


Whichever build you choose, IPA/IDM is a highly secure, highly granular and highly available access management system that in many cases is available free of charge.  IPA/IDM allows administrators to unify Windows and Linux/Unix environments, including user accounts, access to shares and name resolution (DNS), and it provides Single Sign On (SSO) through Kerberos.

Managing users and other resources in the domain can be performed from the command line (the ipa tool) or through the web-based GUI:




So what makes IPA/IDM so secure?



IPA/IDM combines several technologies - an LDAP directory (389 Directory Server) at its core - to provide highly secure identity management, including:

*Kerberos: a ticket-based network authentication protocol.  The client proves to the KDC that it holds the key derived from its password and then presents tickets to services, so the password itself is never transmitted over the network.

*Certificates: the integrated certificate authority (Dogtag) issues certificates that validate/certify the identity of IPA domain resources such as clients/hosts.

*SSSD: the System Security Services Daemon runs on each client, handles remote authentication and identity lookups, and plugs into the Name Service Switch (NSS) and PAM.  Its IPA provider talks to the servers only over encrypted channels (Kerberos/GSSAPI and TLS) and can cache credentials so users can still log in when the servers are unreachable.

*LDAPS: the directory can be reached over LDAPS (port 636) or over plain LDAP on port 389 upgraded to TLS with STARTTLS.

*Highly granular: IPA/IDM allows a very high degree of granularity, with Role-Based Access Control (RBAC) for who may administer which objects in the domain and Host-Based Access Control (HBAC) for which users may use which PAM services (sshd, sudo, login, ...) on which hosts.

*Centrally managed access to domain resources: no need to push copies of /etc/passwd, /etc/group or /etc/sudoers between systems with rdist (insecure, and the copies quickly drift out of sync).

*SELinux integration: SELinux user mappings can be assigned to users and hosts centrally, so the confinement a user gets at login is defined once in the domain.

*Integrated DNS: an optional BIND-based DNS server backed by the directory, with DNSSEC signing and secure (GSS-TSIG) dynamic updates from enrolled clients.

*Easy to establish replica servers for high availability (ipa-replica-install); clients locate servers through DNS SRV records.
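The Kerberos point above is the one most worth seeing in detail. The following is an added example, not code from the original post or from FreeIPA: a simplified model of the Kerberos AS exchange with pre-authentication (PA-ENC-TIMESTAMP). Both sides derive the same key from the password, and the client proves it holds that key by authenticating a timestamp, so the password is never placed in a message. The real protocol (RFC 4120 / RFC 3962) uses PBKDF2-HMAC-SHA1 plus a key-derivation step and AES encryption; here PBKDF2-HMAC-SHA256 and an HMAC tag stand in for them, and the realm, principals and passwords are constructed for the example.

```python
"""Simplified model of Kerberos pre-authentication (added example, not
FreeIPA code). HMAC stands in for the real AES encryption of the timestamp."""
import hashlib
import hmac
import time
from dataclasses import dataclass

REALM = "EXAMPLE.COM"       # constructed for the example
ITERATIONS = 4096           # the Kerberos default iteration count for AES string-to-key


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos salts with realm + principal, so the same password in two
    # realms (or for two users) yields two different keys.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


@dataclass
class PreAuth:
    """What actually crosses the wire in the AS-REQ: no password, only a
    timestamp authenticated under the password-derived key."""
    principal: str
    timestamp: int
    tag: bytes


class Client:
    def __init__(self, principal: str, password: str):
        self.principal = principal
        self.key = string_to_key(password, REALM, principal)
        # The password is not retained and never appears in a message.

    def as_req(self, now=None) -> PreAuth:
        ts = int(now if now is not None else time.time())
        tag = hmac.new(self.key, str(ts).encode(), "sha256").digest()
        return PreAuth(self.principal, ts, tag)


class KDC:
    def __init__(self, max_skew: int = 300):
        self.keys = {}              # principal -> derived key (the KDC never stores passwords)
        self.max_skew = max_skew    # Kerberos default clock skew: 5 minutes
        self.seen = set()           # replay cache of (principal, timestamp)

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, REALM, principal)

    def as_rep(self, req: PreAuth, now=None) -> bool:
        """True if the client proved possession of the key and the
        timestamp is fresh; False models the KDC's error replies."""
        now = int(now if now is not None else time.time())
        key = self.keys.get(req.principal)
        if key is None:
            return False                                   # unknown principal
        expected = hmac.new(key, str(req.timestamp).encode(), "sha256").digest()
        if not hmac.compare_digest(expected, req.tag):
            return False                                   # PREAUTH_FAILED
        if abs(now - req.timestamp) > self.max_skew:
            return False                                   # clock skew too great
        if (req.principal, req.timestamp) in self.seen:
            return False                                   # replayed authenticator
        self.seen.add((req.principal, req.timestamp))
        return True


def offline_guess(req: PreAuth, wordlist):
    """The caveat: an eavesdropper holding a captured pre-auth blob can test
    candidate passwords offline. Kerberos keeps the password off the wire;
    it does not make a weak password safe."""
    for guess in wordlist:
        k = string_to_key(guess, REALM, req.principal)
        tag = hmac.new(k, str(req.timestamp).encode(), "sha256").digest()
        if hmac.compare_digest(tag, req.tag):
            return guess
    return None


def demo() -> dict:
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery staple")
    kdc.add_principal("bob", "Summer2017")
    alice = Client("alice", "correct horse battery staple")
    bob = Client("bob", "Summer2017")
    impostor = Client("alice", "password123")   # wrong password for alice
    t = 1_700_000_000                           # fixed "now" so results are repeatable
    req = alice.as_req(now=t)
    wordlist = ["password", "Summer2017"]
    return {
        "good": kdc.as_rep(req, now=t),
        "replay": kdc.as_rep(req, now=t),
        "wrong_password": kdc.as_rep(impostor.as_req(now=t), now=t),
        "stale": kdc.as_rep(alice.as_req(now=t - 3600), now=t),
        "weak_guessed": offline_guess(bob.as_req(now=t), wordlist),
        "strong_guessed": offline_guess(req, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries of the result are the practitioner's caveat: the captured blob for bob's "Summer2017" is recovered from a two-word list, alice's passphrase is not. "Passwords are never transmitted" is true, but it has to be paired with a password policy (ipa pwpolicy-mod) and, where possible, two-factor or smart-card authentication, both of which IPA supports.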


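To make the HBAC point concrete, here is an added example (not code from the original post or from FreeIPA) that models how an IPA client decides whether a login is allowed. HBAC rules are allow-only: the user may use a PAM service on a host if at least one enabled rule matches user, host and service; anything unmatched is denied. The groups, hostgroups, hosts and rules below are constructed for the example; in a real domain they would be created with `ipa hbacrule-add`, `ipa hbacrule-add-user --groups=...`, `ipa hbacrule-add-host --hostgroups=...` and `ipa hbacrule-add-service --hbacsvcs=...`, and `ipa hbactest --user=... --host=... --service=...` gives the same answer this code computes.

```python
"""Model of FreeIPA HBAC rule evaluation (added example, not FreeIPA code).
Membership data is constructed inline; SSSD would resolve it from the directory."""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    services: set = field(default_factory=set)
    # "category = all" on a dimension matches every user / host / service
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False


@dataclass
class Directory:
    """Minimal stand-in for the group memberships SSSD fetches from IPA.
    Nested groups are assumed to be flattened already."""
    user_groups: dict   # user -> set of group names
    host_groups: dict   # host -> set of hostgroup names


def rule_matches(rule: HbacRule, user: str, host: str, service: str, d: Directory) -> bool:
    if not rule.enabled:
        return False
    user_ok = (rule.user_category_all or user in rule.users
               or bool(d.user_groups.get(user, set()) & rule.groups))
    host_ok = (rule.host_category_all or host in rule.hosts
               or bool(d.host_groups.get(host, set()) & rule.hostgroups))
    svc_ok = rule.service_category_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_test(rules, user: str, host: str, service: str, d: Directory):
    """Mirror of `ipa hbactest`: (granted, names of the rules that matched).
    Access is granted only if some enabled rule matches all three dimensions."""
    matched = [r.name for r in rules if rule_matches(r, user, host, service, d)]
    return bool(matched), matched


def demo() -> dict:
    d = Directory(
        user_groups={"alice": {"sysadmins"}, "bob": {"developers"}},
        host_groups={"web1.example.com": {"webservers"}, "db1.example.com": {"dbservers"}},
    )
    # FreeIPA ships an enabled rule named allow_all. While it stays enabled,
    # every user may use every service on every enrolled host and the more
    # specific rules change nothing; disabling it is the first HBAC task.
    allow_all = HbacRule("allow_all", user_category_all=True,
                         host_category_all=True, service_category_all=True)
    sysadmins = HbacRule("sysadmins-ssh", groups={"sysadmins"},
                         hostgroups={"webservers", "dbservers"}, services={"sshd", "sudo"})
    developers = HbacRule("developers-web", groups={"developers"},
                          hostgroups={"webservers"}, services={"sshd"})
    rules = [allow_all, sysadmins, developers]

    before = hbac_test(rules, "bob", "db1.example.com", "sshd", d)
    allow_all.enabled = False        # the equivalent of: ipa hbacrule-disable allow_all
    return {
        "bob_db_before": before,
        "bob_db_after": hbac_test(rules, "bob", "db1.example.com", "sshd", d),
        "bob_web_ssh": hbac_test(rules, "bob", "web1.example.com", "sshd", d),
        "bob_web_sudo": hbac_test(rules, "bob", "web1.example.com", "sudo", d),
        "alice_db_sudo": hbac_test(rules, "alice", "db1.example.com", "sudo", d),
    }


if __name__ == "__main__":
    for case, (granted, matched) in demo().items():
        print(f"{case:15s} {'ALLOW' if granted else 'DENY':5s} {matched}")
```

Two things the output makes visible that the bullet list does not: until allow_all is disabled a developer can reach the database host, and a rule that grants sshd does not grant sudo, because the PAM service is part of the match. HBAC is only enforced on a client whose SSSD is configured with access_provider = ipa, which ipa-client-install sets by default.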

The unification of Services

IPA/IDM unifies a number of services to make all of this security and manageability of users and resources work.  Please see the graphic below:




To the system administrator, most of the components that make up an IPA/IDM server (389 Directory Server, the MIT Kerberos KDC, the Dogtag CA, BIND for DNS, and SSSD on the clients) are transparent: ipa-server-install and ipa-client-install configure them together, and little or no day-to-day intervention is required.
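As an added illustration (not taken from the original post), this is the shape of the /etc/sssd/sssd.conf that ipa-client-install writes on an enrolled client; the domain and hostnames are assumed. The lines a security reviewer checks are access_provider = ipa (without it HBAC rules are not enforced on the host), ldap_tls_cacert pointing at the IPA CA certificate so the directory connection is verified, and the two cache settings that govern offline login.

```ini
# /etc/sssd/sssd.conf as written by ipa-client-install (hostnames assumed).
# The file must be owned by root with mode 0600 or sssd refuses to start.
[domain/example.com]
id_provider = ipa                     # identities (users, groups, hosts) come from IPA
auth_provider = ipa                   # authentication via Kerberos against the IPA KDC
chpass_provider = ipa                 # password changes go to IPA, not a local file
access_provider = ipa                 # enforce HBAC rules from the domain on this host
ipa_domain = example.com
ipa_hostname = client1.example.com
ipa_server = _srv_, ipa1.example.com  # discover servers via DNS SRV, fall back to ipa1
ldap_tls_cacert = /etc/ipa/ca.crt     # verify the directory's TLS certificate against the IPA CA
cache_credentials = True              # allow login with cached credentials when offline
krb5_store_password_if_offline = True # obtain a ticket automatically once back online

[sssd]
services = nss, pam, ssh, sudo        # responders: identity, authentication, SSH keys, sudo rules
domains = example.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[ssh]
```

After changing the file, `systemctl restart sssd` and `sss_cache -E` clear stale cache entries, and `sssctl domain-status example.com` (SSSD 1.14 and later) shows whether the client can currently reach a server.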


As mentioned, it is straightforward to unify Windows and Linux environments with a high level of security, because IPA/IDM is well documented, well supported and easy to install.









